Merge branch 'master' into ck_default_userinfo_request_method

Author: skanct

NOTICE

@@ -1,5 +1,15 @@
 Copyright 2016 Umeå universitet
 
+   Contributions to this work were made on behalf of the GÉANT project,
+   a project that has received funding from the European Union’s
+   Horizon 2020 research and innovation programme under Grant Agreement No. 731122 (GN4-2).
+   On behalf of the GÉANT project, GEANT Association is the sole owner of the copyright
+   in all material which was developed by a member of the GÉANT project.
+   GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam
+   with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging.
+   Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
+   UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
+
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

doc/README.md

@@ -43,7 +43,7 @@ in the [example directory](../example).
 | `BACKEND_MODULES` | string[] | `[openid_connect_backend.yaml, saml2_backend.yaml]` | list of plugin configuration file paths, describing enabled backends |
 | `FRONTEND_MODULES` | string[] | `[saml2_frontend.yaml, openid_connect_frontend.yaml]` | list of plugin configuration file paths, describing enabled frontends |
 | `MICRO_SERVICES` | string[] | `[statistics_service.yaml]` | list of plugin configuration file paths, describing enabled microservices |
-| `USER_ID_HASH_SALT` | string | `61a89d2db0b9e1e2` | salt used when creating the persistent user identifier, will be overriden by the environment variable `SATOSA_USER_ID_HASH_SALT` if it is set |
+| `USER_ID_HASH_SALT` | string | `61a89d2db0b9e1e2` | **DEPRECATED - use the hasher micro-service** salt used when creating the persistent user identifier, will be overriden by the environment variable `SATOSA_USER_ID_HASH_SALT` if it is set |
 | `LOGGING` | dict | see [Python logging.conf](https://docs.python.org/3/library/logging.config.html) | optional configuration of application logging |
 
 
@@ -119,7 +119,7 @@ linking, the `user_id_to_attr` configuration parameter should be set, since that
 service will overwrite the user identifier generated by the proxy.
 
 
-### hash
+### hash **DEPRECATED - use the hasher micro-service**
 The proxy can hash any attribute value (e.g., for obfuscation) before passing
 it on to the client. The `hash` key should contain a list of all attribute names
 for which the corresponding attribute values should be hashed before being
@@ -171,7 +171,7 @@ Metadata from remote URL:
 
 For more detailed information on how you could customize the SAML entities,
 see the
-[documentation of the underlying library pysaml2](https://github.com/rohe/pysaml2/blob/master/doc/howto/config.rst).
+[documentation of the underlying library pysaml2](https://github.com/rohe/pysaml2/blob/master/docs/howto/config.rst).
 
 
 ##### Providing `AuthnContextClassRef`
@@ -410,7 +410,7 @@ which should be used when configuring the attribute mapping (see above).
 ### Ping frontend for simple heartbeat monitoring
 
 The ping frontend responds to a query with a simple
-200 OK and is intended to be used as a simple heartbeat monitor, 
+200 OK and is intended to be used as a simple heartbeat monitor,
 for example by a load balancer. The default configuration file can
 be found [here](../example/plugins/frontends/ping_frontend.yaml.example).
 
@@ -581,7 +581,7 @@ The SATOSA proxy is a Python WSGI application and so may be run using any WSGI c
 
 Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX and is the server used most often
 to run the proxy. In a production deployment the Gunicorn server is often proxied by a
-full featured general purpose web server (in a reverse proxy architecture) such as Nginx or 
+full featured general purpose web server (in a reverse proxy architecture) such as Nginx or
 Apache HTTP Server to help buffer slow clients and enable more sophisticated error page rendering.
 
 Start the proxy server with the following command:

example/internal_attributes.yaml.example

@@ -40,6 +40,5 @@ attributes:
     orcid: [name.family-name.value]
     openid: [family_name]
     saml: [sn, surname]
-hash: [edupersontargetedid]
 user_id_from_attrs: [edupersontargetedid]
 user_id_to_attr: edupersontargetedid

example/plugins/backends/openid_backend.yaml.example

@@ -4,6 +4,7 @@ config:
   provider_metadata:
     issuer: https://op.example.com
   client:
+    verify_ssl: yes
     auth_req_params:
       response_type: code
       scope: [openid, profile, email, address, phone]

example/plugins/backends/saml2_backend.yaml.example

@@ -39,6 +39,7 @@ config:
             text: "http://sp.logo.url/"
             width: "100"
             height: "100"
+        authn_requests_signed: true
         want_response_signed: true
         allow_unsolicited: true
         endpoints:
@@ -48,5 +49,6 @@ config:
           discovery_response:
           - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
         name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        name_id_format_allow_create: true
   # disco_srv must be defined if there is more than one IdP in the metadata specified above
   disco_srv: http://disco.example.com

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -9,3 +9,7 @@ config:
     response_types_supported: ["code", "id_token token"]
     subject_types_supported: ["pairwise"]
     scopes_supported: ["openid", "email"]
+    extra_scopes:
+      foo_scope:
+	  - bar_claim
+	  - baz_claim

example/plugins/frontends/saml2_frontend.yaml.example

@@ -52,5 +52,14 @@ config:
     "https://accounts.google.com": LoA1
 
   endpoints:
-    single_sign_on_service: {'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post,
-      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect}
+    single_sign_on_service:
+      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': sso/post
+      'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': sso/redirect
+
+  # If configured and not false or empty the common domain cookie _saml_idp will be set
+  # with or have appended the IdP used for authentication. The default is not to set the
+  # cookie. If the value is a dictionary with key 'domain' then the domain for the cookie
+  # will be set to the value for the 'domain' key. If no 'domain' is set then the domain
+  # from the BASE defined for the proxy will be used.
+  common_domain_cookie:
+    domain: .example.com

example/plugins/microservices/hasher.yaml.example

@@ -0,0 +1,39 @@
+module: satosa.micro_services.hasher.Hasher
+name: Hasher
+config:
+  # default settings that apply to every requester
+  "":
+    # default salt configuration is required
+    salt: abcdef0123456789
+
+    # the hash algorithm to use (default: sha512)
+    alg: sha256
+
+    # whether subject_id should be hashed (default: yes)
+    subject_id: yes
+
+    # a list of attributes to hash (default: [])
+    attributes:
+    - edupersontargetedid
+
+  # specific settings for requester 'some_entityid'
+  some_entityid:
+    # for this requester use sha1
+    alg: sha1
+
+    # do not hash any attributes
+    # if this is missing the defaults will be used
+    attributes: []
+
+  # specific settings for requester 'some_other_entityid'
+  some_other_entityid:
+    # for this requester only use this salt
+    salt: abcd1234
+
+    # do not hash subject_id
+    subject_id: no
+
+    # only hash the following attributes
+    attributes:
+    - gender
+    - identifier

example/plugins/microservices/ldap_attribute_store.yaml.example

@@ -1,51 +1,65 @@
-module: plugins.microservices.ldap_attribute_store.LdapAttributeStore
+module: LdapAttributeStore
 name: LdapAttributeStore
 config:
-  ldap_url: ldaps://ldap.example.org
-  bind_dn: cn=admin,dc=example,dc=org
-  bind_password: xxxxxxxx
-  search_base: ou=People,dc=example,dc=org
-  search_return_attributes:
-    # format is LDAP attribute name : internal attribute name
-    sn: surname
-    givenName: givenname
-    mail: mail
-    employeeNumber: employeenumber
-    isMemberOf: ismemberof
-  idp_identifiers:
-    # Ordered list of identifiers asserted as attributes by
-    # IdP to use when constructing search filter to find
-    # user record in LDAP directory. This example searches
-    # in order for eduPersonUniqueId, eduPersonPrincipalName
-    # combined with SAML persistent, eduPersonPrincipalName
-    # combined with eduPersonTargetedId,
-    # eduPersonPrincipalName, SAML persistent, and 
-    # eduPersonTargetedId.
-    - epuid
-    - 
-      - eppn
-      - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-    -
-      - eppn
-      - edupersontargetedid
-    - eppn
-    - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-    - edupersontargetedid
-  ldap_identifier_attribute: uid
-  # Whether to clear values for attributes incoming
-  # to this microservice. Default is no or false.
-  clear_input_attributes: no
-  # List of LDAP attributes to use as input to hashing to create
-  # NameID.
-  user_id_from_attrs:
-    - employeeNumber
+  "":
+      ldap_url: ldaps://ldap.example.org
+      bind_dn: cn=admin,dc=example,dc=org
+      bind_password: xxxxxxxx
+      search_base: ou=People,dc=example,dc=org
+      search_return_attributes:
+        # Format is LDAP attribute name : internal attribute name
+        sn: surname
+        givenName: givenname
+        mail: mail
+        employeeNumber: employeenumber
+        isMemberOf: ismemberof
+      # LDAP connection pool size
+      pool_size: 10
+      # LDAP connection pool seconds to wait between calls out to server
+      # to keep the connection alive (uses harmless Abandon(0) call)
+      pool_keepalive: 10
+      ordered_identifier_candidates:
+        # Ordered list of identifiers to use when constructing the
+        # search filter  to find the user record in LDAP directory. 
+        # This example searches in order for eduPersonUniqueId, eduPersonPrincipalName
+        # combined with SAML persistent NameID, eduPersonPrincipalName
+        # combined with eduPersonTargetedId, eduPersonPrincipalName, 
+        # SAML persistent NameID, and eduPersonTargetedId.
+        - attribute_names: [epuid]
+        - attribute_names: [eppn, name_id]
+          name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        - attribute_names: [eppn, edupersontargetedid]
+        - attribute_names: [eppn]
+        - attribute_names: [name_id]
+          name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+          add_scope: issuer_entityid
+        - attribute_names: [edupersontargetedid]
+          add_scope: issuer_entityid
+      ldap_identifier_attribute: uid
+      # Whether to clear values for attributes incoming
+      # to this microservice. Default is no or false.
+      clear_input_attributes: no
+      # List of LDAP attributes to use as input to hashing to create
+      # NameID.
+      user_id_from_attrs:
+        - employeeNumber
+      # Where to redirect the browser if no record is returned
+      # from LDAP. The default is not to redirect.
+      on_ldap_search_result_empty: https://my.vo.org/please/go/enroll
   # Configuration may also be done per-SP with any
   # missing parameters taken from the default if any.
   # The configuration key is the entityID of the SP.
   #
   # For example:
-  https://sp.myserver.edu/shibboleth-sp
+  https://sp.myserver.edu/shibboleth-sp:
     search_base: ou=People,o=MyVO,dc=example,dc=org
-    eduPersonPrincipalName: employeenumber
+    search_return_attributes:
+        employeeNumber: employeenumber
+    ordered_identifier_candidates:
+      - attribute_names: [eppn]
     user_id_from_attrs:
       - uid
+  # The microservice may be configured to ignore a particular SP.
+  https://another.sp.myserver.edu:
+    ignore: true
+  

example/proxy_conf.yaml.example

@@ -13,7 +13,6 @@ FRONTEND_MODULES:
   - "plugins/frontends/saml2_frontend.yaml"
 MICRO_SERVICES:
   - "plugins/microservices/static_attributes.yaml"
-USER_ID_HASH_SALT: "61a89d2db0b9e1e27d490d050b478fe71f352fddd3528a44157f43e339c6c62f2362fb413179937d96172bf84233317"
 LOGGING:
   version: 1
   formatters:
@@ -40,4 +39,4 @@ LOGGING:
       propagate: no
   root:
     level: INFO
-    handlers: [info_file_handler]
+    handlers: [info_file_handler]